Hiring a CISO is not an easy task, but with more executive managers realizing the value of having an executive level information security position and cybersecurity regulations like 23 NYCRR 500 requiring it, finding qualified candidates is paramount.
The CISO is an executive who provides expert guidance to other C-level executives on matters of risk, compliance, and information protection from a strategic and tactical business objective perspective. Security practitioners are typically technical in nature, but do not generally have access to C-level executives, so the CISO position can help fill in this gap.
Nevertheless, the CISO position can be tough to fill, especially when enterprises set high expectations for the candidates.
A security professional could potentially grow into the position. However, the Peter Principle — the theory that a candidate for a job is more likely to be judged based on their performance in their current position rather than their actual qualifications for the job they applied for — is generally the reason internal upward mobility to the CISO position has had limited success. So what qualities, experience, and educational background should a prospective CISO have?
CISO Qualities and Experience
Ideally, a CISO should have a combination of business and technical skills that allow for competent contributions and guidance with both IT and executive management. A successful CISO will be able to incisively translate technical challenges and strategies into business terms. Some specific recommended qualifications for a CISO include:
- A degree in accounting, MBA, CIS, or Information Security
- CPA, CISSP, CISM, CISA, PMP certifications
- CFE, CEH, GPEN, CRISC specialized certifications
- A minimum of ten years' experience
- Prior experience as a CISO, information security engineer, or security consultant
- Big 4 senior managers or partners from systems assurance practices would be a plus
- Membership in ISSA, ISACA, (ISC)2, OWASP, or CISO forums
As difficult as it may appear to find an individual with this background, these qualifications can make or break their success in the role. A candidate for a CISO position needs to be a team player, diplomatic, and confident. They should have high technical acumen and be passionate about information security, but not so quixotic or dogmatic that it would call their credibility into question. CISOs need to understand business, especially the business culture, goals, and strategies of the enterprise. They need to build a work environment in which the employees share — or at least support — their passion for information security. They must be able to make decisions and not kowtow to executives.
This may be a daunting task and not every organization needs this position in-house. CCSI understands the qualifications of a CISO, the DFS Cybersecurity regulations, and is here to assist. Contact us today for more information on our vCISO services.
For additional information, download this free whitepaper: How to Approach the New York State Department of Financial Services Cybersecurity Requirements

Coauthor Bio:
Larry Bianculli is managing director of enterprise and commercial sales at CCSI. He has more than 20 years of experience in the IT industry helping clients optimize their IT environment while aligning with business objectives. He has vast experience in many verticals, including Financial, Public Sector, Health Care, Service Provider, and Commercial accounts. He has helped customers and led teams with a balanced approach to strategy and planning, execution, and personal principles.

Coauthor Bio:
John Busso is a Senior Network Engineer/Mobility Specialist at CCSI. He has almost 20 years of experience providing secure voice and data solutions. John has been a Subject Matter Expert for Enterprise Mobile Solutions such as Guest WiFi and BYOD, providing vision for diverse clients.
John has been an Adjunct Professor and trainer. He holds numerous industry certifications, including CISSP, CWNP, CCNP, ACMP, and ITIL. His experience includes working with Retail, TNL-Couriers, DCs and Airports, Healthcare, Education, DOD, Local Government, Financial, Non-Profit/Public WiFi, Entertainment, and Hospitality industries. His expertise is in mobility, security, WLAN, WAN, LAN, VoWiFi, RFID, RTLS, WIPS, WIDS, DAS, and licensed/unlicensed PTP and PTMP networks.